Re: [FW-1] checkpoint | cisco concentrator [design thoughts]

Authentication is
being provided via radius with an active directory backend. We tend to use AD
groups for employee/researcher types and individual accounts with far more
restrictive FW-1 rules for vendors and others.
The whole idea was to keep the concentrator config as simple as possible. All
rules to limit user access are on the Checkpoint box. The link between the
concentrator & firewall is tapped, so we can also throw in a sniffer or IDS box
if we feel the need.
My apologies for the tone of my original reply... I should know better than to
reply when exhausted.
Rob
----- Original Message -----
From: Ray
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Sent: Thursday, May 26, 2005 10:33 AM
Subject: Re: [FW-1] checkpoint | cisco concentrator [design thoughts]
Yes, correct, I didn't phrase that properly. One issue I would see with your
method is that the external interface of the concentrator is still fully
exposed to the Internet. I feel better having Check Point's stateful
firewall in front of everything because, well, it is a firewall.
With your method, how do you know that the traffic coming off the internal
interface of the concentrator is authorized? Is there any way for you to
limit down the concentrator traffic by user or are you doing that on the
concentrator itself?
Take care,
Ray
>From: Rob Schrack <rob_schrack AT URMC.ROCHESTER DOT EDU>
>Reply-To: Mailing list for discussion of Firewall-1
><FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
>To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
>Subject: Re: [FW-1] checkpoint | cisco concentrator [design thoughts]
>Date: Thu, 26 May 2005 00:24:52 -0400
>
>Re: [FW-1] checkpoint | cisco concentrator [design thoughts]
>
>Short circuit
>around the firewall? That's not putting it in front, that's putting it in
>parallel.
>
>Our 3030 is entirely in front of our firewall. Its external interface is
>plugged into the same router as our IP530's external interface. Its
>internal interface is plugged INTO the IP530. That way I can filter inbound
>destinations & ports using the decrypted traffic. Plus I can do it using
>the same FW-1 policy that I do for anything else trying to come in from the
>Internet.
>
>Rob
>----- Original Message -----
>From: Ray
>To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
>Sent: Wednesday, May 25, 2005 11:12 PM
>Subject: Re: [FW-1] checkpoint | cisco concentrator [design thoughts]
>
>
>Nothing, repeat NOTHING, in my company is in front of a firewall. The
>question is not whether it should be behind a firewall, the question is why
>it should be exposed to the Internet when it could be put behind a
>firewall.
>I had a 3030 concentrator behind CP for a while and it worked fine. We used
>UDP Encapsulation. We filtered everything hitting the concentrator to make
>sure only the needed ports and protocols were allowed. Putting it in front
>of the firewall = a potential short circuit around the firewall. A small
>potential to be sure, but it's still there and does not need to be.
>Ray
>>From: ". security" <firewall_security AT HOTMAIL DOT COM>
>>Reply-To: Mailing list for discussion of Firewall-1
>><FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
>>To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
>>Subject: [FW-1] checkpoint | cisco concentrator [design thoughts]
>>Date: Wed, 25 May 2005 20:09:56 -0500
>>
>>We are going over a new network design, and trying to determine if this is
>>overkill. Is it necessary to put a Cisco concentrator behind a firewall? I
>>haven't been able to find a lot of documentation indicating that it's
>>necessary.
>>
>>Here's the design we've come up with:
>>- public interface, located in the DMZ, statically NATd to a public address
>>- private interface, also located in the same DMZ but on a different network;
>>this interface is pointed towards the internal network.
>>
>>
>>internet
>>    |
>>[firewall]-------------------------------------------------|DMZ
>>    |                   |                                  |
>>    |          public int [NATd]        private int [faces back to internal net]
>>    |
>>internal network
>>
>>
>>
>>thoughts?
>>
>>=================================================
>>To set vacation, Out-Of-Office, or away messages,
>>send an email to LISTSERV AT amadeus.us.checkpoint DOT com
>>in the BODY of the email add:
>>set fw-1-mailinglist nomail
>>=================================================
>>To unsubscribe from this mailing list,
>>please see the instructions at
>>http://www.checkpoint.com/services/mailing.html
>>=================================================
>>If you have any questions on how to change your
>>subscription options, email
>>fw-1-owner AT ts.checkpoint DOT com
>>=================================================